BlackEnergy, KillDisk Infect Ukrainian Mining, Railway Systems

Researchers at security firm Trend Micro have found evidence suggesting that pieces of malware involved in the recent attacks against Ukraine’s energy sector have been used to target other types of organizations as well.

The Russia-linked BlackEnergy malware, known to target SCADA systems in Europe and the United States, and KillDisk, a plugin designed to destroy files and make systems inoperable, were spotted last year in attacks aimed at Ukraine’s energy sector. Ukrainian authorities accused Russia of being behind the attacks that resulted in significant power outages.

An analysis of the campaign revealed that while BlackEnergy and KillDisk had been found on the targeted systems, the malware was likely not directly responsible for the outages.

Trend Micro reported on Thursday that its researchers spotted BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator. Experts believe these attacks were conducted by the same threat actor that targeted the country’s power companies.

In the case of the infections at the Ukrainian mining company, experts uncovered several samples whose names and functionality were similar to those of the samples spotted in the power utility attacks. The malware, used in November and December 2015, communicated with some of the same command and control (C&C) servers observed in the energy attacks.

The security firm noticed that the systems of the same mining company were also infected with multiple variants of KillDisk. The samples don’t match the ones used in the energy attacks exactly, but they do exhibit the same functionality.

Trend Micro also spotted KillDisk infections on the systems of a Ukrainian railway company that is part of the country’s national railway system. The KillDisk sample found by researchers matched one used in the electric utility attacks.

“This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems; it could be assumed that it was likely present somewhere in their network,” Trend Micro senior threat researcher Kyle Wilhoit said in a blog post.

Based on the similarities between the samples, naming conventions, infrastructure overlaps, and the timing of the attacks, experts believe the same threat actor targeted all of these Ukrainian organizations, and they have several theories about the attacker’s goals.
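The attribution reasoning above (shared C&C infrastructure, matching or similar samples, common naming, overlapping timeframes) is the kind of overlap analysis a threat-intelligence team would run across its own incident records. The following is an added example, not code from Trend Micro or from this article: it scores pairwise overlap between three incident records and flags a pair as likely the same actor when at least two independent signals line up. Every indicator value (server names, hashes, file names, dates) is a constructed placeholder, not a real IoC from the research.

```python
"""Score indicator overlap between incident records (added example).

All indicator values below are CONSTRUCTED placeholders; they are not
real C&C servers, hashes or file names from the Ukraine attacks.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass
class Incident:
    name: str
    c2_servers: set[str]     # C&C hosts the malware contacted
    sample_hashes: set[str]  # hashes of recovered samples
    sample_names: set[str]   # file names the samples were dropped under
    first_seen: date
    last_seen: date


def jaccard(a: set[str], b: set[str]) -> float:
    """Similarity of two indicator sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def window_overlap_days(a: Incident, b: Incident) -> int:
    """Number of days the two activity windows overlap (0 if disjoint)."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    return max(0, (end - start).days)


def compare(a: Incident, b: Incident) -> dict:
    """Raw overlap facts for one pair of incidents."""
    return {
        "shared_c2": sorted(a.c2_servers & b.c2_servers),
        "shared_hashes": sorted(a.sample_hashes & b.sample_hashes),
        "shared_names": sorted(a.sample_names & b.sample_names),
        "c2_jaccard": jaccard(a.c2_servers, b.c2_servers),
        "overlap_days": window_overlap_days(a, b),
    }


def evidence_signals(result: dict) -> list[str]:
    """Independent lines of evidence present in a comparison result."""
    signals = []
    if result["shared_c2"]:
        signals.append("infrastructure")
    if result["shared_hashes"]:
        signals.append("identical_samples")
    if result["shared_names"]:
        signals.append("naming")
    if result["overlap_days"] > 0:
        signals.append("timing")
    return signals


def same_actor_likely(result: dict, min_signals: int = 2) -> bool:
    """Timing alone is weak; require corroboration from a second signal."""
    return len(evidence_signals(result)) >= min_signals


def link_incidents(incidents: list[Incident], min_signals: int = 2) -> dict:
    """Map each incident pair to (signals found, likely-same-actor verdict)."""
    links = {}
    for a, b in combinations(incidents, 2):
        res = compare(a, b)
        links[(a.name, b.name)] = (evidence_signals(res), same_actor_likely(res, min_signals))
    return links


# Constructed sample records mirroring the article's three victim sectors.
INCIDENTS = [
    Incident("energy", {"c2-placeholder-1", "c2-placeholder-2", "c2-placeholder-3"},
             {"hash-placeholder-1", "hash-placeholder-2", "hash-placeholder-3"},
             {"sample_x.bin", "sample_y.bin"}, date(2015, 12, 1), date(2015, 12, 23)),
    # Mining: same C&C hosts and naming, but KillDisk variants differ from the energy ones.
    Incident("mining", {"c2-placeholder-1", "c2-placeholder-2"},
             {"hash-placeholder-4", "hash-placeholder-5"},
             {"sample_x.bin"}, date(2015, 11, 1), date(2015, 12, 31)),
    # Railway: one sample identical to the energy case, no C&C evidence recovered.
    Incident("railway", set(), {"hash-placeholder-3"},
             {"sample_z.bin"}, date(2015, 12, 10), date(2015, 12, 23)),
]

if __name__ == "__main__":
    for pair, (signals, verdict) in link_incidents(INCIDENTS).items():
        print(pair, signals, "likely same actor" if verdict else "insufficient evidence")
```

With the constructed records the energy/mining pair links on infrastructure, naming and timing, the energy/railway pair links on an identical sample plus timing, while mining/railway share only a timeframe and are not linked directly; that matches the shape of the article's argument, where the railway case is tied to the cluster through the energy samples rather than through its own infrastructure evidence.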

“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Wilhoit said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”

The United States is concerned that attacks like the one aimed at Ukraine’s energy sector could be launched against its own critical infrastructure. While the US government has so far refrained from officially pointing the finger at Russia for the Ukraine cyberattacks, CNN reported on Thursday that Elizabeth Sherwood-Randall, Deputy Secretary at the Department of Energy, told a gathering of power grid industry execs that Russia is behind the attacks.

Robert M. Lee, founder and CEO of Dragos Security, told SecurityWeek last month that while attacks like the ones in Ukraine could be launched against European countries and the United States, they would likely result in less significant damage.

Related: Attackers Use Word Docs to Deliver BlackEnergy Malware

Related: Ukraine Accuses Russia of Cyber Attack on Kiev Airport

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
